[Bug 239977] Integer Overflow: ping(8) option "-G" and "-g", bypass the invalid sweepmax and sweepmin packet size check

[bugzilla-noreply at freebsd.org]

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=239977

            Bug ID: 239977
           Summary: Integer Overflow: ping(8) option "-G" and "-g", bypass
                    the invalid sweepmax and sweepmin packet size check
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: bin
          Assignee: bugs at FreeBSD.org
          Reporter: neerajpal09 at gmail.com

Integer Overflow is observed in ping(8) command line option "-G" and option
"-g".

* sbin/ping/ping.c:350 (-G) and sbin/ping/ping.c:364 (-g)

** "sweepmax = ltmp;" & "sweepmin = ltmp;" <= storing long value to int
variable

providing option "-G" with value 4294967297 and "-g" with 4294967292, will
bypass the check at sbin/ping/ping.c:339 and at sbin/ping/ping.c:354 and will
try to send packet with illegal range like (-4 ... 1) data bytes

[Steps to reproduce]

* root at freebsd:/usr/src/sbin/ping # ping -G 5 -g -1 localhost 
ping: invalid packet size: `-1'

* root at freebsd:/usr/src/sbin/ping # ping -G 4294967297 -g 4294967292 localhost
PING localhost (127.0.0.1): (-4 ... 1) data bytes
8 bytes from 127.0.0.1: icmp_seq=4 ttl=64
9 bytes from 127.0.0.1: icmp_seq=5 ttl=64

--- localhost ping statistics ---
6 packets transmitted, 2 packets received, 66.7% packet loss

[Impact]
Bypass the check for invalid packet size and will try to send packet with
illegal sweepmax and sweepmin size properties.

Note: root privilege is required.

-- 
You are receiving this mail because:
You are the assignee for the bug.